includes/active-directory-msi-cross-tenant-cmk-overview.md
2 additions & 2 deletions
@@ -22,7 +22,7 @@ The image below shows a data encryption at rest with federated identity in a cro
In the example above, there are two Azure AD tenants: an independent service provider's tenant (*Tenant1*), and a customer's tenant (*Tenant2*). *Tenant1* hosts Azure platform services and *Tenant2* hosts the customer's key vault.
-
A multi-tenant application registration is created by the service provider in *Tenant1*. A [federated identity credential](/azure/active-directory/develop/workload-identity-federation-create-trust-managed-identity-as-credential) is created on this application using a user-assigned managed identity. Then, the name and application ID of the app is shared with the customer.
+
A multi-tenant application registration is created by the service provider in *Tenant1*. A [federated identity credential](/azure/active-directory/develop/workload-identity-federation-create-trust) is created on this application using a user-assigned managed identity. Then, the name and application ID of the app is shared with the customer.
A user with the appropriate permissions installs the service provider's application in the customer tenant, *Tenant2*. A user then grants the service principal associated with the installed application access to the customer's key vault. The customer also stores the encryption key, or customer-managed key, in the key vault. The customer shares the key location (the URL of the key) with the service provider.
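Review bot: The replacement link in this hunk drops the managed-identity-specific target (`workload-identity-federation-create-trust-managed-identity-as-credential`) for the generic `workload-identity-federation-create-trust` page with no pivot, whereas the second hunk on this page adds `?pivots=identity-wif-apps-methods-...` to the same base URL. Since the sentence is specifically about using a user-assigned managed identity as the federated identity credential, consider pointing at the matching pivot of the new page (for example `workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp`) so the reader lands on the managed-identity instructions rather than the generic landing page, and so both hunks link consistently.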
@@ -48,7 +48,7 @@ Operations in Phase 1 would be a one-time setup for most service provider applic
| 1. | Create a new multi-tenant Azure AD application registration or start with an existing application registration. Note the application ID (client ID) of the application registration using [Azure portal](/azure/active-directory/develop/quickstart-register-app), [Microsoft Graph API](/graph/api/application-post-applications), [Azure PowerShell](/powershell/module/azuread/new-azureadapplication), or [Azure CLI](/cli/azure/ad/app#az_ad_app_create)| None |[Application Developer](/azure/active-directory/roles/permissions-reference.md#application-developer)|
| 2. | Create a user-assigned managed identity (to be used as a Federated Identity Credential). <br> [Azure portal](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp&preserve-view=true) / [Azure CLI](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azcli&preserve-view=true) / [Azure PowerShell](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-powershell&preserve-view=true)/ [Azure Resource Manager Templates](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-arm&preserve-view=true)|[Manage identity contributor](/azure/role-based-access-control/built-in-roles.md#managed-identity-contributor&preserve-view=true)| None |
-
| 3. | Configure user-assigned managed identity as a *federated identity credential* on the application, so that it can impersonate the identity of the application. <br> [Graph API reference](https://aka.ms/fedcredentialapi)/ [Azure portal](/azure/active-directory/develop/workload-identity-federation-create-trust-managed-identity-as-credential)/ [Azure CLI](/azure/active-directory/develop/workload-identity-federation-create-trust-managed-identity-as-credential)/ [Azure PowerShell](/azure/active-directory/develop/workload-identity-federation-create-trust-managed-identity-as-credential)| None | Owner of the application |
+
| 3. | Configure user-assigned managed identity as a *federated identity credential* on the application, so that it can impersonate the identity of the application. <br> [Graph API reference](https://aka.ms/fedcredentialapi)/ [Azure portal](/azure/active-directory/develop/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp)/ [Azure CLI](/azure/active-directory/develop/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azcli)/ [Azure PowerShell](/azure/active-directory/develop/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-powershell)| None | Owner of the application |
| 4. | Share the application name and application ID with the customer, so that they can install and authorize the application. | None | None|
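Review bot: The link fixes in the step 3 row look right, but the neighbouring context rows in this same table carry malformed URLs that should be corrected in the same change: in the step 2 row, `built-in-roles.md#managed-identity-contributor&preserve-view=true` places a query parameter after the `#` fragment, so `preserve-view=true` will be treated as part of the fragment and the anchor will not resolve; the query string needs to come before the fragment (`built-in-roles?preserve-view=true#managed-identity-contributor`) or be dropped. The step 1 and step 2 rows also use `.md` in root-relative `/azure/...` links (`permissions-reference.md#application-developer`, `built-in-roles.md#...`), unlike every other link on this page, which is worth verifying since the rewritten step 3 links deliberately omit it. Minor wording: the step 2 role column reads "Manage identity contributor" but the linked role is "Managed Identity Contributor", and in step 3 "so that it can impersonate the identity of the application" would be clearer as "so that the managed identity can obtain tokens as the application", which is what a federated identity credential grants.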